When we talk about the Cisco Next-Generation firewalls we are talking about the following models of Cisco ASA Firewalls.


ASA 5506-X with FirePOWER Services

ASA 5506W-X with FirePOWER Services

ASA 5506H-X with FirePOWER Services

ASA 5508-X with FirePOWER Services

ASA 5516-X with FirePOWER Services

ASA 5525-X with FirePOWER Services

ASA 5545-X with FirePOWER Services

ASA 5555-X with FirePOWER Services

ASA 5585-X with FirePOWER SSP-10

ASA 5585-X with FirePOWER SSP-20

ASA 5585-X with FirePOWER SSP-40

ASA 5585-X with FirePOWER SSP-60


The proliferation of mobile devices and the need to connect from any place are radically changing the enterprise security landscape. Social networking sites such as Facebook and Twitter long ago moved beyond mere novelty sites for teens and geeks and have become vital channels for communicating with groups and promoting brands.


Security concerns and fear of data loss are leading reasons why some businesses don’t embrace social media, but many others are adopting social media as a vital resource within the organization. Some of the risks associated with social media can be mitigated through the application of technology and user controls. However, there’s no doubt that criminals have used social media networks to lure victims into downloading malware and handing over login passwords.



Before today’s firewalls grant network access, they need to be aware of not only the applications and users accessing the infrastructure but also the device in use, the location of the user, and the time of day. Such context-aware security requires a rethinking of the firewall architecture. Context-aware firewalls extend beyond the next-generation firewalls on the market today. They provide granular control of applications, comprehensive user identification, and location-based control. The Cisco ASA 5500-X Series next-generation firewalls are examples of context-based firewall solutions.


The Cisco ASA family provides a very comprehensive set of features and next-generation security capabilities. For example, it provides capabilities such as simple packet filtering (normally configured with access control lists, or ACLs) and stateful inspection. The Cisco ASA also provides support for application inspection/awareness. It can listen in on conversations between devices on one side and devices on the other side of the firewall. The benefit of listening in is that the firewall can pay attention to application layer information.


The Cisco ASA also supports network address translation (NAT), the capability to act as a Dynamic Host Configuration Protocol (DHCP) server or client, or both. The Cisco ASA supports most of the interior gateway routing protocols, including Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF). It also supports static routing. The Cisco ASA also can be implemented as a traditional Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces.


The other option is to implement a firewall as a transparent (Layer 2) firewall, in which the actual physical interfaces receive individual IP addresses, but a pair of interfaces operate like a bridge. Traffic that is going across this two-port bridge is still subject to the rules and inspection that can be implemented by the ASA. Additionally, the Cisco ASA is often used as a head-end or remote-end device for VPN tunnels for both remote-access VPN users and site-to-site VPN tunnels. It supports IPsec and SSL-based remote access VPNs. The SSL VPN capabilities include support for clientless SSL VPN and the full AnyConnect SSL VPN tunnels.







Successfully accomplishing a given task or job largely depends on having the right tools for it. So it is with cyber security and network security. You need to know what you will require to successfully protect your company/organization’s assets from unwanted individuals such as threat actors. This is what this section is all about. We are going to look at different devices that you may need in your organization to protect yourself.


Many network security devices have been invented throughout the years to enforce policy and maintain visibility of everything that is happening in the network. These network security devices include the following:


1.     Traditional and next-generation firewalls

2.     Personal firewalls

3.     Intrusion detection systems (IDSs)

4.     Traditional and next-generation intrusion prevention systems (IPSs)

5.     Anomaly detection systems

6.     Advanced malware protection (AMP)

7.     Web security appliances

8.     Email security appliances

9.     Identity management systems


We shall explore each of the above security devices and how they fit in the jigsaw puzzle of security.





Before we dive into different traditional firewall devices, let us first define what a firewall is. A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.


Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.  A firewall can be hardware, software, or both.


When we talk about traditional firewalls we are referring to the previous generation of Cisco security firewalls. They include the following models, which may be familiar to most of you:


·        ASA 5505

·        ASA 5510

·        ASA 5520

·        ASA 5540

·        ASA 5550

·        ASA 5580


 When we talk about traditional firewalls we are referring to the above Cisco security firewalls.


A firewall is deployed between two networks: a trusted network and an untrusted network. The trusted network is labeled as the “inside” network, and the untrusted network is labeled as the “outside” network. The untrusted network in this case is connected to the Internet. This is the typical nomenclature you’ll often see in Cisco and non-Cisco documentation.


When firewalls are connected to the Internet, they are often referred to as Internet edge firewalls.


Several firewall solutions offer user and application policy enforcement in order to supply protection for different types of security threats. These solutions often provide logging capabilities that enable the security administrators to identify, investigate, validate, and mitigate such threats.


Network-based firewalls provide key features that are used for perimeter security, such as network address translation (NAT), access control lists (ACLs), and application inspection. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.



Firewalls can also be deployed as virtual machines (VMs). An example of a virtual firewall is the Cisco ASAv. These virtual firewalls are often deployed in the data center to provide segmentation and network protection to virtual environments. They are typically used because traffic between VMs often does not leave the physical server and cannot be inspected or enforced with physical firewalls.







We are truly living in exciting times as far as technology is concerned. Billions of different devices have already been connected to the internet and many more will be connected as time goes by. Smart cars, smart houses, smart grid, smart factories, just to name a few have seen the rise and need to have devices connected to achieve operational efficiency and safety.


With the rise of many devices connected to the internet/network comes the challenge and risk of security breaches from threat actors. Every connected unsecured device gives the bad guys an opportunity to cause mayhem.


Cisco has introduced a certification specifically designed to deal with cyber security, known as Cisco Certified Network Associate Cyber Ops (CCNA Cyber Ops). Let me briefly talk about this certification, and later on I will deal with all the other Cisco certifications that you can choose to specialize and have a career in.



Today's organizations are challenged with rapidly detecting cybersecurity breaches and effectively responding to security incidents. Teams of people in Security Operations Centers (SOCs) keep a vigilant eye on security systems, protecting their organizations by detecting and responding to cybersecurity threats. CCNA Cyber Ops prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.





For you to be CCNA Cyber Ops certified, you have to pass two required exams, which are:

·        210-250 SECFND

·        210-255 SECOPS


There are no prerequisites to taking these exams.




For you to be good at something you must know a lot, if not everything, about it. In the same way, for you to excel as a really good and exceptional Cyber Security expert you must know your trade really well. For many years now Cisco Press has provided official certification guides and material specifically tailored towards passing whichever Cisco certification you want to do.


If you are really serious about becoming an expert and competent network engineer then there is no option but to make www.ciscopress.com your best friend. Visit the website, create an account, buy any book (hard copy or soft copy [PDF]) for whichever certification you want to pursue and get your networking career started.


This link takes you straight to the two books that you need to study to pass the two required CCNA Cyber Ops exams and get the Certificate. The link is  http://www.ciscopress.com/markets/detail.asp?st=99187 


The two books are:

210-250 SECFND



210-255 SECOPS





Cisco Systems offers other networking certifications that cover virtually everything in networking. They begin at the Entry level, then the Associate level, then the Professional level and, last but not least, the Expert level. We shall now look at each of these levels and the certifications found in each.



1.     Cisco Certified Entry Networking Technician (CCENT)


2.     Cisco Certified Technician (CCT)



Both the CCENT and the CCT certifications serve as starting points for individuals interested in starting a career as a networking professional.




CCNA stands for Cisco Certified Network Associate. The Associate level of Cisco Certifications can begin directly with CCNA for network installation, operations and troubleshooting or CCDA for network design. Think of the Associate Level as the foundation level of networking certification. They are:


1.     CCDA (Network Design)

2.     CCNA Cloud

3.     CCNA Collaboration

4.     CCNA Cyber Ops

5.     CCNA Data Center

6.     CCNA Industrial (IoT/IoE)

7.     CCNA Routing and Switching

8.     CCNA Security

9.     CCNA Service Provider

10.    CCNA Wireless




CCNP stands for Cisco Certified Network Professional. The Professional level is an advanced level of certification that shows more expertise with networking skills. Each certification covers a different technology to meet the needs of varying job roles. They are:


1.     CCDP (Network Design)

2.     CCNP Cloud

3.     CCNP Collaboration

4.     CCNP Data Center

5.     CCNP Routing and Switching

6.     CCNP Security

7.     CCNP Service Provider

8.     CCNP Wireless



CCIE stands for Cisco Certified Internetwork Expert. The Cisco Certified Internetwork Expert (CCIE) certification is accepted worldwide as the most prestigious networking certification in the industry, period. This is the aim and dream of every network engineer and so should be yours if you plan to venture into computer networking as a career or you are already in networking. They are:


1.     CCDE (Network Design)

2.     CCIE Collaboration

3.     CCIE Data Center

4.     CCIE Routing and Switching

5.     CCIE Security

6.     CCIE Service Provider

7.     CCIE Wireless



And there you have it. All the best in whichever path you may choose to venture in.







And here we are, dealing with one of the hottest topics in the IT industry. Hardly two days or a full week can go by without us hearing of a security incident happening somewhere on our planet, with threat actors’ motives being anything from notoriety to financial gain. Today it is not only the job of network and cyber security engineers to keep us safe; each and every one of us has a role to play.


Due to the importance of cyber security in our world today, we are going to dive into the different technologies and methods that network engineers and cyber security specialists can employ to keep a safe working environment for all users.


So what is cyber security?  Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.





Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security is susceptible to being tricked into deviating from secure procedures through various methods.


The field is of growing importance due to the increasing reliance on computer systems and the Internet, wireless networks such as Bluetooth and Wi-Fi, the growth of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things.


One of the most problematic elements of cybersecurity is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment.


To deal with the current environment, advisory organizations are promoting a more proactive and adaptive approach. The National Institute of Standards and Technology (NIST), for example, recently issued updated guidelines in its risk assessment framework that recommended a shift toward continuous monitoring and real-time assessments.


According to Forbes, the global cybersecurity market reached $75 billion for 2015 and is expected to hit $170 billion in 2020.








The Cisco Group Encrypted Transport Virtual Private Network (GET VPN) technology is a solution that allows easy deployment of a complex, redundant, fully meshed VPN. Fully meshed VPNs are typically challenging from a scalability and manageability standpoint. These kinds of deployments with a large number of sites are typically avoided because of their complexity.


GET VPNs provide large-scale, connectionless, tunnel-free transmission protection that takes advantage of an existing routing infrastructure. Even though it can be used with Multiprotocol Label Switching (MPLS), IP, Frame Relay, and ATM networks, it is an ideal cryptographic solution for MPLS VPNs that need site-to-site encryption.


With the introduction of GET VPNs, Cisco makes available a new category of VPN that does not require a tunnel. By removing the need to establish point-to-point tunnels, branch networks can scale larger and still maintain the network intelligence features that are necessary for voice and video quality, such as quality of service (QoS), routing, and multicast. GET VPNs provide a new standards-based IPsec security model that uses the concept of “trusted” group members. Trusted member routers use a common security methodology that is independent of requiring any point-to-point IPsec tunnel relationship.


GET VPNs can be deployed in a variety of WAN topologies, including IP and MPLS. MPLS VPNs that use GET achieve high availability, manageability, and cost-effectiveness while meeting transmission protection requirements. GET VPNs provide a flexibility that enables enterprises to manage their own security over a service provider WAN or to offload the encryption services to the provider. GET VPNs simplify large Layer 2 or MPLS networks that need partial or full meshed connectivity.




Group controller/key servers (GCKS), also known as key servers (KS), and group members are the two key components that comprise the GET VPN architecture. The key server authenticates all group members, performs admission control to the GET VPN domain, and creates and supplies group authentication keys as well as security associations (SAs) to group members. Group members provide transmission protection to sensitive site-to-site (member-to-member) traffic.


Key servers distribute keys and policies to all registered and authenticated group member routers. Key distribution and management are made easier because of the centralized distribution of keys and policies.


All communication between a key server and group members is encrypted and secured using the Internet Key Exchange (IKE) Group Domain of Interpretation (GDOI) protocol. IKE GDOI is a standards-based Internet Security Association and Key Management Protocol (ISAKMP) group key management protocol that provides secure group communications. GET VPNs use IKE GDOI as the group keying mechanism.


IKE GDOI supports the use of two keys: Traffic Encrypting Key (TEK) and Key Encrypting Key (KEK):


1. TEK: A key that is used to protect traffic between group members


2. KEK: A key that is used to protect rekeys (during a key refresh) between key servers and group members


The TEK is distributed to all group members by the key server, and they use the TEK to communicate to members of the group and to create and verify IPsec packets. The KEK is also distributed to group members who in turn use it to decrypt incoming rekey messages from the key server.


When a registration message is received, the key server generates information that contains the rekey policy (one KEK) and the new IPsec SAs (multiple TEK attributes, traffic encryption policy, lifetime, source and destination information about the traffic that needs to be protected, and the security parameter index (SPI)-ID that is associated with each TEK). The newly created IPsec SAs are then sent to the group members. The key server maintains a table that contains the IP address of each group member and its group association. When a group member registers, the key server adds the new IP address to its associated group table.



GET VPNs have the following benefits:

1. Very scalable in that the configuration does not grow significantly when adding group members in a full mesh


2. Provides scalable support for multicast traffic


GET VPNs also have the following limitations:


1. VPN addresses must be routable in the transport network. This is because of the use of the original IP header, and in most cases, it prevents GET VPNs from being used over the Internet.


2. The compromise of one peer has a larger effect because the group shares session keys.


3. Key servers must be available during rekeys and registration for the entire network to operate.
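The key handling and the shared-key limitation described above, modelled as an added example (not from the original post or from Cisco): a key server hands every registered member the same KEK and TEK, so any member's keys read any group traffic and keep following rekeys until the key server replaces both keys. The HMAC-based seal/unseal pair is a standard-library stand-in for the real IKE GDOI and IPsec ciphers, and the group name and IP addresses are constructed.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for the real IPsec cipher
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered message
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KeyServer:
    def __init__(self, group):
        self.group, self.members = group, {}   # table: member IP -> group
        self.kek, self.tek = secrets.token_bytes(32), secrets.token_bytes(32)

    def register(self, ip):
        # Real GDOI registration runs inside an IKE session; modelled as a return value
        self.members[ip] = self.group
        return self.kek, self.tek

    def rekey(self):
        # Routine refresh: a new TEK pushed to the group, protected by the current KEK
        self.tek = secrets.token_bytes(32)
        return seal(self.kek, self.tek)

    def evict(self, ip):
        # Removing a peer: replace KEK and TEK; remaining members must register again
        self.members.pop(ip, None)
        self.kek, self.tek = secrets.token_bytes(32), secrets.token_bytes(32)

class GroupMember:
    def __init__(self, ip, ks):
        self.ip = ip
        self.kek, self.tek = ks.register(ip)

    def on_rekey(self, blob):
        new_tek = unseal(self.kek, blob)
        if new_tek is not None:
            self.tek = new_tek
        return new_tek is not None

def demo():
    ks = KeyServer("GETVPN-DEMO")                      # constructed group name
    ips = ("10.0.1.1", "10.0.2.1", "10.0.3.1")         # constructed addresses
    nairobi, mombasa, kisumu = (GroupMember(ip, ks) for ip in ips)
    pkt = seal(mombasa.tek, b"payroll batch")          # no Mombasa-Nairobi tunnel needed
    r = {"peer_reads": unseal(nairobi.tek, pkt), "third_member_reads": unseal(kisumu.tek, pkt)}
    r["stolen_keys_follow_rekey"] = kisumu.on_rekey(ks.rekey())   # KEK unchanged
    ks.evict(kisumu.ip)                                # treat Kisumu's keys as compromised
    nairobi, mombasa = GroupMember(ips[0], ks), GroupMember(ips[1], ks)
    blob = ks.rekey()
    mombasa.on_rekey(blob)
    r["evicted_follows_rekey"] = kisumu.on_rekey(blob)
    r["evicted_reads"] = unseal(kisumu.tek, seal(mombasa.tek, b"payroll batch"))
    r["members"] = sorted(ks.members)
    return r
```

A TEK-only rekey does not lock out a compromised member, because the rekey itself is protected by the KEK that member already holds; the model only recovers once the key server replaces both keys and the remaining members register again.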




In this demonstration we are going to issue a series of commands on the Key Server and group members of the GET VPN deployment to see if our GET VPN deployment is working properly.







Show crypto gdoi

Here we are shown the name of the Group, Group Identity Number, the number of group members that have registered with the key server, group rekey lifetime among other major details about the GET VPN.



Show crypto gdoi ks policy

The details about the key server policy are shown for both the Key Encryption Key (KEK) policy as well as the Traffic Encryption Key (TEK) policy as shown in the figure below.



Show crypto gdoi ks acl

Details about the Access Control List that is in the policy of the key Server are shown.



Show crypto gdoi ks rekey

This command shows us the details about the number of Rekeys sent, the number of rekeys retransmitted among other details shown in the figure below.



Show crypto gdoi ks member

This command shows us the details about the member routers that have registered with the Key Server.





Show crypto isakmp sa and Show crypto isakmp sa detail

These commands show us the IKEv1 Phase 1 details of the tunnel that a group member forms with the Key Server.


The Kisii Router:



The Nairobi Router:



The Mombasa Router:



The Kisumu Router:



Show crypto session

This command shows us the IKEv1 SA and IPsec sessions between the group member router and the key server.


The Kisii Router:



The Nairobi Router:



The Mombasa Router:



The Kisumu Router:



Show crypto gdoi

Here the details about the GDOI group in this GET VPN are shown, such as the Group Name, Group Identity Number and Group Server List, among other details.


The Kisii Router:



The Nairobi Router:



The Mombasa Router:



The Kisumu Router:



Show crypto gdoi gm rekey

The group member rekey details are shown.


The Kisii Router:



The Nairobi Router:



The Mombasa Router:



The Kisumu Router:



Show crypto engine connections active

The IPsec and IKEv1 Phase 1 details are shown. The number of packets encrypted and decrypted is shown as well as the algorithms used.


The Kisii Router:



The Nairobi Router:



The Mombasa Router:



The Kisumu Router:




